CM-11 User-installed Software
a. Establish cm-11_odp.01 governing the installation of software by users;
b. Enforce software installation policies through the following methods: cm-11_odp.02; and
c. Monitor policy compliance cm-11_odp.03.
Parameter ID | Definition |
---|---|
cm-11_odp.01 | policies |
cm-11_odp.02 | methods |
cm-11_odp.03 | frequency |
Baselines
- L
- M
- H
- P
Guidance
If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved "app stores." Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.
Control Enhancements (3)
- CM-11(01) Alerts for Unauthorized Installations
- CM-11(02) Software Installation with Privileged Status L M H P
- CM-11(03) Automated Enforcement and Monitoring L M H P
Related controls (11)
- AC-03 Access Enforcement L M H P
- AU-06 Audit Record Review, Analysis, and Reporting L M H P
- CM-02 Baseline Configuration L M H P
- CM-03 Configuration Change Control L M H P
- CM-05 Access Restrictions for Change L M H P
- CM-06 Configuration Settings L M H P
- CM-07 Least Functionality L M H P
- CM-08 System Component Inventory L M H P
- PL-04 Rules of Behavior L M H P
- SI-04 System Monitoring L M H P
- SI-07 Software, Firmware, and Information Integrity L M H P